Thanks all.
The effect seems to be exactly the same as the Avast article but with a different root cause, the redirect is even to the same IP, but I've grep'd the whole file system and there isn't a file with the IP in it. Also, I'm not running OptimizePress, so there is another vulnerability that WordFence can't see that isn't from that plugin doing the same thing, it is mobile only and it seems only on 1st access...
I'll keep looking!